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Foreword 



rd , 



This Technical Specification has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

X the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



£75/ 



3GPP TS 29.1 09 version 6.4.0 Release 6 5 ETSI TS 1 29 1 09 V6.4.0 (2005-09) 



Scope 



The present stage 3 specification defines the Diameter based implementation for bootstrapping Zh interface (BSF-HSS) 
and Dz interface (BSF-SLF) for HSS resolution for the BSF, and GAA Application Zn interface (BSF-NAF) in Generic 
Authentication Architecture (GAA). The definition contains procedures, message contents and coding. The procedures 
for bootstrapping and usage of bootstrapped security association are defined in 3GPP TS 33.220 [5]. 

This specification is a part of the Generic Authentication Architecture (GAA) specification series. 

The diameter based implementation is based on re-usage of Cx interface Multimedia- Auth-Request/ Answer messages 
originally between CSCF and HSS. These messages are defined in 3GPP TS 29.229 [3]. The 3GPP IMS mobility 
management uses the same definitions between CSCF and HSS. The present document defines how the defined 
messages are used with the bootstrapping and GAA application procedures (e.g. subscriber certificates) and the 
application logic that is needed in GAA network elements (BSF, HSS, and NAF). 
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Figure 1 . 1 depicts the relationships of these specifications to the other specifications. 
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Figure 1 .1 : Relationships to other specifications 

Figure 1.2 provides an informal overall quick introduction to the whole signalling procedures in GAA system. The 
important identifiers are marked bold and optional data items are italicised. The Ub and Ua interfaces, not defined in 
this TS , are simplified. 
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Definitions, symbols and abbreviations 



3.1 Definitions 

For the purposes of the present document, the terms and definitions given in 3GPP TS 23.008 [10], 3GPP TR 33.919 
[4], 3GPP TS 33.220 [5] apply with following additions. 

Bootstrapping information (Bootstrapped data) in a BSF consists of a bootstrapping transaction identifier (B-TID), a key 
material (Ks), the key lifetime (expiry time), the boostrapinfo creation time, the IMPI and the GUSS (if received from HSS) 
with BSF control information. Each bootstrapping procedure creates a bootstrapped data entity with B-TID as retrieval 
key.. 

GAA application is an application that uses the security association created by GBA Bootstrapping procedure. 

GAA service is an operator specific end user service that uses the security association created by GAA Bootstrapping 
procedure. GAA services are identified by GAA Service Identifiers. A GAA service is implemented using some 
standardised or propriatary GAA application defined by GAA application type. 
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NAF specific Bootstrapping information transferred from a BSF to a NAF contains NAF and its service specific parts 
from bootstrapped data and needed key information derived from the bootstrapped data. 

Service/Application. The term service is used here in its common meaning. A service is something that a MNO offers 
to subscribers. GAA Services are identified by GAA Service Identifier (GSID). In stage 2 documents ([4], [5], [6] and 
[11]) the term application is used in the same meaning i.e. MNOs offer applications to subscribers. There is a reason to 
avoid the usage of the term application here. The application is an already reserved term in Diameter. In Diameter 
applications are identified by Application Identifiers. 



3.2 Symbols 



For the purposes of the present document, the terms and definitions given in 3GPP TS 23.008 [10]. 



3.3 



Abbreviations 



For the purposes of the present document, the following abbreviations apply: 

AK Anonymity Key 

AKA Authentication and Key Agreement 

AUTN Authentication token 

AV Authentication Vector. 3GPP AV=[RAND,AUTN,XRES,CK,IK]. 

AVP Attribute-Value-Pair in Diameter messages. 

BIA Bootstrappinglnfo- Answer message 

BIR Bootstrappinglnfo-Request message 

BS Bootstrapping Procedure 

BSF Bootstrapping server functionality 

BSF is hosted in a network element under the control of an MNO. 

B-TID Bootstrapping Transaction Identifier 

CA Certificate Authority 

CK Confidential Key 

FQDN Full QuaUfied Domain Name in URI (e.g. http://FQDN:80) 

GAA Generic Authentication Architecture 

GBA Generic Bootstrapping Architecture 

GSID GAA Service Identifier 

GUSS GBA User Security Settings 

HSS Home Subscriber System 

IK Integrity Key 

IMPI IP Multimedia Private Identity 

IMPU IP Multimedia PubUc Identity 

Ks Key Material 
Ks_ext_NAF MEbased key for a specific NAF 

MNO Mobile network operator 

NAF Operator-controlled network application function functionality. 

NAF is hosted in a network element under the control of an MNO. 

RAND Random challenge in authentication 

REQ In Diameter header indicates that the message is a Request. 

SCTP Stream Control Transmission Protocol 

SLF Subscription Location Function 

SSC Subscriber Certificate Procedure 

Ua UE-NAF interface for GAA applications 

Ub UE-BSF interface for bootstrapping 

UE User Equipment 
Ks_int_NAF UICC based key for a specific NAF 

USS User Security Settings (a part of GUSS) 

XRES Expected response in authentication 

Zh BSF-HSS interface for bootstrapping procedure 

Zn BSF-NAF interface for GAA applications. 
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4 GBA Bootstrapping Zh interface 

4.1 Generic bootstrapping network architecture 

The network architecture of the Bootstrapping procedure is presented in Figure 4. 1 . The interface Ub (bootstrapping) is 
defined in 3GPP TS 24.109 [7] and the interface Zh in this specification. 



UE -Ub- BSF -Zh 



HSS 



Figure 4.1 : Network architecture of bootstrapping procedure 

The protocol stack of the Zh interface in Bootstrapping procedure is presented in Figure 4.2. The Diameter Base 
protocol is defined in [1] and the Diameter application in 3GPP TS 29.229 [3]. The requirements for Zh interface are 
defined in 3GPP TS 33.220 [5]. 
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Figure 4.2: Protocol stacl< of Zh interface 



4.2 



Protocol Zh between BSF and HSS 



The requirements for Zh interface are defined in 3GPP TS 33.220 [5]. 

The Bootstrapping Zh interface performs the retrieval of an authentication vector and possibly GBA User Security 
Settings from the HSS. The overall Bootstrapping procedure is depicted in Figure 4.3. The basic procedure is: 

A) A UE starts the bootstrapping procedure by protocol Ub with a BSF giving the IMPl of the user (see 3GPP TS 
24.109 [7]). 

B) The BSF starts protocol Zh with user"s HSS 

• The BSF requests user"s authentication vector and GBA User Security Settings(GUSS) corresponding to 
the IMPL 

• The HSS supplies to the BSF the requested authentication vector and GUSS (if any). 

NOTE: If there is more than one HSS deployed within the network, the BSF may have to contact the SLF using 
the Dz interface prior to sending the request for information to the HSS (see section 6.4). 

C) The BSF continues the protocol Ub with the UE (see 3GPP TS 24.109 [7]). 
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Figure 4.3: The GBA bootstrapping procedure 



The steps of the bootstrapping procedure in Figure 4.3 are: 

Stepl 

The BSF shall send the following Bootstrapping-Request to the HSS in the format of Multimedia-Auth-Request (MAR) 
message. The content of the message is given below in the same format as in 3GPP TS 29.229 [3]. The curly brackets 
indicate mandatory AVPs. The square brackets indicate optional AVPs. The 'address of refers to the Fully Qualified 
Host Name (FQDN). 



<Mu It imedia-Auth-Re quest > 



=<Diameter Header: 303, REQ, PXY, 16777221 > 



< Session-Id > 

Vendor-Specif ic-Application-Id 

Auth-Session-State } 

Origin-Host } 

Origin-Realm } 

Destination-Realm } 

Destination-Host ] 

User-Name } 
[ AVP ] 

[ Proxy-Info ] 
[ Route-Record ] 



NO_STATE_MAINTAINED 
Address of BSF 
Realm of BSF 
Realm of HSS 
Address of the HSS 
IMPI from UE 



The content of mandatory Vendor-Specific-Application-ID according [1] is: 

<Vendor-Specif ic-Application-Id> : : =<AVP header: 260> 
1* [Vendor-Id] 
0*1 {Auth-Application-Id} 
0*1 {Acct-Application-Id} 



3GPP is 10415 

16777221 

Omitted 
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When determining the value of Destination-Host AVP the BSF can use redirector function (SLF) to resolve the address 
of the HSS if needed (see 3GPP TS 29.229 [3]). The BSF shall set the Auth-Session-State AVP to 
NO_STATE_MAINTAINED to inform that the HSS does not need to maintain any status information for this session 
according 3GPP TS 29.229 [3]. The User-name is the IMS Private User Identity (IMPI) as required in 3GPP TS 29.228 
[2]. 

Step 2 

When the HSS receives the MAR message, the HSS shall derive the user Authentication Vector (AV) information 
according the IMPI and populates it into SIP-Auth-Data AVP as defined in 3GPP TS 29.229 [3]. If GUSS exists for the 
IMPI, the HSS shall also fetch the GUSS into the GBA-UserSecSettings AVP. 

The MAR/MAA sequence in the Zh interface must not change possible status information of the possible 
simultaneously ongoing IMS MM application sessions in the HSS. 

If the User-Name (IMPI) from the BSF is totally unknown to the HSS, the error situation 5401 is raised. 

Step 3 

The HSS shall send the following Bootstrapping-Answer message in the format of Multimedia- Auth- Answer (MAA) 
message back to the BSF. 

< Multimedia-Auth-Answer> ::= < Diameter Header: 303, PXY, 16777221 > 
< Session-Id > 

{ Vendor-Specif ic-Application-Id } 
[ Result-Code ] 
[ Experimental-Result] 

{ Auth-Session-State } ; NO_STATE_MAINTAINED 

{ Origin-Host } ; Address of HSS 

{ Origin-Realm } ; Realm of HSS 

[ User-Name ] ; IMPI 

*[ SIP-Auth-Data-Item ] 

[ GBA-UserSecSettings ] ; GUSS 

* [ AVP ] 
* [ Proxy-Info ] 
* [ Route-Record ] 

The HSS shall set the mandatory Auth-Session-State AVP to NO_STATE_MAINTAINED because the HSS does not 
maintain any state information about this session and the BSF does not need to send any session termination request 
3GPP TS 29.229 [3]. The User-name AVP (IMPI) may be sent back for checking. The required authentication vectors 
are sent in the SIP-Auth-Data-Items AVP. The security settings of user"s all GAA applications are sent in GBA- 
UserSecSettings AVP. 

Step 4. 

When the BSF receives the MAA message, the BSF generates the needed key material (Ks) from confidential key (CK) 
and integrity key (IK) as described in 3GPP TS 33.220 [5] and stores temporarily the tuple <IMPI,Ks,GBA- 
UserSecSettings> for further use in GAA applications. The rest of the bootstrapping procedure in Ub interface will later 
add also the Bootstrapping Transaction Identifier (B-TID) to that tuple as key and the key lifetime (expiry time). 
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5 GAA Application Zn interface 

5.1 Applications" network architecture 

The network architecture of the GAA appHcations procedure is presented in Figure 5.1. The 3GPP GAA appHcations 
are hsted in annex B. Different GAA applications may implement the Ua interface in different way. The Zn interface is 
defined in this specification. 



UE 



— Ua— NAF — Zn— BSF 



Figure 5.1 : Network architecture of GAA application 

The protocol stack of the Zn interface for GAA applications is presented in Figure 5.2. The diameter Base protocol is 
defined in [1] and the Diameter application in 3GPP TS 29.229 [3]. The requirements for Zn interface are defined in 3GPP 
TS 33.220 [5]. 
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Figure 5.2: Protocol stack of Zn interface 



5.2 



Protocol Zn between NAF and BSF 



The requirements for Zn interface are defined in 3GPP TS 33.220 [5]. 

The protocol Zn retrieves the key material and possibly user security settings data by NAF from BSF. After UE is 
authenticated with the BSF, every time the UE wants to interact with an NAF the following steps are executed as 
depicted in Figure 5.3. The basic procedure is: 

A) The UE starts protocol Ua (see 3GPP TS 33.220 [5]) 

• In general, the UE and the NAF will not yet share the key(s) required to protect protocol Ua. If they already 
do, there is no need for the NAF to invoke protocol Zn. 

• It is assumed that UE supplies sufficient information to NAF, i.e. the Bootstrapping Transaction Identifier 
(B-TID), to allow the NAF to retrieve specific key material (e.g. Ks_NAF in the case of GBA_ME, and 
Ks_ext_NAF or Ks_int_NAF or both in the case of GB A_U) from BSF. 

• The UE derives the keys required to protect protocol Ua from the key material. 

B) The NAF starts protocol Zn with BSF 

• The NAF requests NAF specific key material corresponding to the information supplied by the UE to the 
NAF (i.e. the bootstrapping transaction identifier) in the start of protocol Ua. 
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• The BSF generates and supplies to the NAF the requested NAF specific key material, the expiry time , the 
bootstrapinfo creation time, and the appropriate User Security Settings defined for received application 
identifiers. 

C) The NAF continues protocol Ua with the UE (see 3GPP TS 33.221 [6]) 

Once the run of protocol Ua is completed the purpose of bootstrapping is fulfilled as it enabled UE and NAF to run 
protocol Ua in a secure way. 



The common GAA application procedure is presented in Figure 5.3. 



UEn ua fnaf 



Zn 



BSF 



UE knows: 
< B-TID .Ks> 



{ a security association 
created by bootstrapping } 



BSF has tuple: 
< B-TID ./MP/.Ks. 
ME-Ks, UICC-Ks,GUSS> 



UE start the GAA application procedure 
by sending a B-TID. 



GUSS is 

GBA User Security Settings. 

GSID is 

GAA Service Indentifier. 



1. Bootstrapping-lnfo-Request 
( B-TID, GSID*, NAF-Hostname ) 



2. BSF checks the B-TID 

and derives 
ME-Key and UlCC-Key 



UE and NAF mutually authenticate 
each others using ME-Ks 



3. Bootstrapping-lnfo-Answer 

( IMPI, Key-ExpiryTime, 

Ks_(ext)_NAF, KsJnt_NAF, 

BootstraplnfoCreationTime, 

UserSecSetting* ) 



Figure 5.3: The GAA application procedure 

The steps of the GAA application procedure in Figure 5.3 are: 

Step 1 

The NAF shall send a Bootstrapping-lnfo-Request message (BIR) to the BSF. The content of the message is 
given here in the same format as in 3GPP TS 29.229 [3]. The curly brackets indicate mandatory AVPs. The 
square brackets indicate optional AVP. The address refers to the Fully Qualified Host Name (FQDN). 
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< Bootstrapping-Info-Request> : : =<Diameter Header: 310, REQ, PXY, 16777220 > 
< Session-Id > 

{ Vendor-Specif ic-Application-Id } 

{ Origin-Host } ; Address of NAF 

{ Origin-Realm } ; Realm of NAF 

{ Destination-Realm } ; Realm of BSF 

[ Destination-Host ] ; Address of the BSF 

* [ GAA-Service-Identif ier ] ; Service identifiers 
{ Transaction-Identifier } ; B-TID 

{ NAF-Hostname } ; FQDN of NAF as seen by UE 

[ GBA_U-Awareness-Indicator ] ; GBA_U awareness of the NAF 

* [ AVP ] 

* [ Proxy-Info ] 

* [ Route-Record ] 

The content of Vendor-Specific- Application-ID according [1] is: 

<Vendor-Specif ic-Application-Id> : : =<AVP header: 260> 

1* [Vendor-Id] ; 3GPP is 10415 

0*1 {Auth-Application-Id} ; 16777220 

0*1 { Acct-Application-Id} ; Omitted 

The Destination-Realm AVP is set to subscriber"s BSF. The address of the BSF is extracted from the B-TID. 

NOTE: In the case where the subscriber has contacted a NAF that is in a visited network, the NAF contacts the 
subscriber's home BSF through a Diameter-Proxy (D-Proxy) that is located in the same network as the 
NAF. The local BSF and the D-Proxy may be co-located. See 3GPP TS 33.220 [6]. 

The NAF indicates the GAA services for which the information is retrieved by GAA-Service-Identifier AVPs. 
The Bootstrapping Transaction Identifier defines the earlier bootstrapping procedure execution. 



Step 2 



In the successful case the BSF has a tuple <BJTD,IMPI,Ks, Key lifetime, Bootstrapinfo creation time, GBA- 
UserSecSettings> identified by Bootstrapping Transaction Identifier (B-TID). When the BSF receives the 
request it checks the existence and validity of the tuple for given B-TID. If checking fails the BSF sends an 
Answer message with Experimental-Result set to indicate the error type 5403. If the tuple for B-TID exists, but 
is expired, error type 5403 is also send to indicate needs for renewal of the boostrapping procedure. In successful 
case the Result-Code is set to 2xxx as defined in [1]. 

The BSF derives the key material for the ME (i.e., Ks_NAF in the case of GBA_ME, and Ks_ext_NAF in the 
case of GBA_U) and possibly the key material for the UICC (i.e., Ks_int_NAF in the case of GBA_U) 
according to the B-TID and packs them into ME-Key-Material AVP and possible UICC-Key-Material AVP. The 
ME-Key-Material contains Ks_(ext)_NAF and the UICC-key-Material contains the Ks_int_NAF key. The BSF 
select correct user"s Security Settings according the request"s GAA-Service-Identifier AVP to GBA- 
UserSecSettings AVP. If NAF grouping is used by the operator and there are one or more USSs corresponding to 
the requested GSID, then also the nafGroup attribute of USS is checked. If the NAF has sent a GAA-Service- 
Identifier that does not have corresponding user"s security settings, and the BSF is locally configured to reject 
those requests from the NAF, then the error 5402 is raised. If the NAF has sent a GAA-Service-Identifierthat 
have corresponding user's security settings, but the BSF is locally configured to reject those from that NAF, then 
the error 5402 is raised too. 

The NAF may be addressed from the UE with different FQDNs. The BSF shall check if this NAF-Hostname is 
allowed to be used for the NAF. If the NAF identified by its Origin-Host AVP is configured in the BSF not to be 
authorized to use the given NAF-Hostname, the BSF may raise the error situation 5402. The BSF may also be 
configured so that a certain NAF is not authorized to use a certain GAA-Service-Identifier. This situation may be 
also indicated by error code 5402. 



Step 3 



After that the BSF shall send a Bootstrapping-Info- Answer message (BIA) back to the NAF. 
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< Boostrapping-Info-Answer> ::= < Diameter Header: 310, PXY, 16777220 > 
< Session-Id > 

Vendor-Specif ic-Application-ld } 

Result-Code ] 

Experimental-Result ] 

Origin-Host } 

Origin-Realm } 

User-Name ] 

ME-Key-Material ] 

UICC-Key-Material ] 

Key-ExpiryTime ] 

Bootstrapinf oCreationTime ] 

GBA-UserSecSettings ] 
[ AVP ] 

[ Proxy-Info ] 
[ Route-Record ] 



Address of BSF 

Realm of BSF 

IMP I 

Required 

Conditional 

Time of expiry 

Bootstrapinf o creation time 

Selected USSs 



The BSF may or may not send the User-name AVP (IMPI) according its configuration. 

The mandatory common key material with the ME (Ks_NAF or Ks_ext_NAF) is sent in the ME-Key-Material 
AVP. The common key material with the UICC (Ks_int_NAF) is optionally sent in the UICC-Key-Material 
AVP only if the 'uiccType' tag in bsflnfo from the HSS is set to "GBA_U". 

The Key-ExpiryTime AVP contains the expiry time of the Bootstrapping information in the BSF according its 
configuration. The expiry time is represented according the Diameter Time data format in seconds that have 
passed since Oh on January 1, 1900 UTC . If a special key lifetime value is given in the 'lifeTime' tag inside the 
bsflnfo from the HSS in bootstraping procedure, it is used instead of the BSF default configuration value when 
the expiry time is calculated. 

The BootstrapInfoCreationTime AVP contains the bootstrapinfo creation time, i.e., creation time of the 
Bootstrapping information in the BSF. The bootstrapinfo creation time is represented in seconds that have passed 
since January 1, 1900 00:00:00.000 UTC. 

The BSF selects the appropriate User Security Settings (if any) to the GB A-UserSecSettings AVP from stored 
GAA-UserSecSettings in Bootstrapping information according the GBA-Service-Identifier AVPs in the request 

message. 

The procedure in the NAF when the BIA is received is described in 3GPP TS 33.220 [5], 3GPP TS 33.222 [11] and 
optionally in GAA service type specific TSs. 



Diameter application for Zh and Zn interfaces 



6.1 



Command-Code values 



The Zn interface assigns new Command-Code 310. 

The messages in Zh interface use the same Command-Code value 303 as Multimedia- Auth-Request/ Answer messages 
defined in 3GPP TS 29.229 [3] for Cx interface. 



6.2 



Result-Code AVP values 



This section defines new result code values that must be supported by all Diameter implementations that conform to this 
specification. When one of the result codes defined here is included in a response, it shall be inside an Experimental- 
Result AVP and Result-Code AVP shall be absent. 

6.2.1 Success 

Errors that fall within the Success category are used to inform a peer that a request has been successfully completed. 

The success category result codes defined in 3GPP TS 29.229 [3] for Cx interface are useless and therefore not required 
in Zh and Zn interfaces. 
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6.2.2 Permanent failures 

Errors that fall within the Permanent Failures category are used to inform the peer that the request failed, and should not 
be attempted again. 

The Permanent failure category result codes defined in 3GPP TS 29.229 [3] for Cx interface are useless and therefore 
not required in Zh and Zn interfaces. 

6.2.2.1 DIAMETER_ERRORJMPI_UNKNOWN (5401) 
A message was received by the HSS for an IMPI that is unknown. 

6.2.2.2 DIAMETER_ERROR_NOT_AUTHORIZED (5402) 

A message was received by the BSF which the BSF can not authorize. In this case the NAF should indicate to the UE 
that the service is not allowed. 



6.2.2.3 



DIAMETER_ERROR_TRANSACTIONJDENTIFIERJNVALID(5403) 



A message was received by the BSF for an invalid (e.g. unknown or expired) Bootstrapping Transaction Identifier (B- 
TID). In this case the NAF should request the UE to bootstrap again. 



6.2.2.4 



Void 



6.2.2.5 



Void 



6.2.2.6 



Void 



6.2.2.7 



Void 



6.3 



AVPs 



The AVPs defined in 3GPP TS 29.229 [3] for 3GPP IMS Cx interface Multimedia-Auth-Request/ Answer messages are 
used as they are. 

The following table describes the additional new Diameter AVPs defined for the Zh and Zn interface protocol, their 
AVP Code values, types, possible flag values and whether or not the AVP may be encrypted. The Vendor-Id header of 
all AVPs defined in this specification shall be set to 3GPP (10415). 

Table 6.1 : New Diameter Multimedia Application AVPs 











AVP Flag rules 




Attribute Name 


AVP 

Code 


Section 
defined 


Value Type 


Must 


May 


Should 
not 


Must 
not 


May 
Encr. 


GBA-UserSecSettings 


400 


6.3.1.1 


OctedString 


M, V 








No 


Transaction-Identifier 


401 


6.3.1.2 


OctetString 


M, V 








No 


NAF-Hostname 


402 


6.3.1.3 


OctetString 


M, V 








No 


GAA-Service-Identifier 


403 


6.3.1.4 


OctedString 


M, V 








No 


Key-ExpiryTime 


404 


6.3.1.5 


Time 


M,V 








No 


ME-Key-Material 


405 


6.3.1.6 


OctedString 


M, V 








No 


UICC-Key-Material 


406 


6.3.1.7 


OctedString 


M, V 








No 
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GBA_U- Awareness-Indicator 


407 


6.3.1.8 


Enumerated 


M, V 








No 


BootstrapInfoCreationTime 


408 


6.3.1.9 


Time 


M, V 








No 


NOTE 1 : The AVP header bit denoted as "M", indicates whether support of the AVP is required. The AVP header 
bit denoted as "V", indicates whether the optional Vendor-ID field is present in the AVP header. 



6.3.1 Common AVPs 



6.3.1.1 



GBA-UserSecSettings AVP 



The GAA-UserSecSettings AVP (AVP code 400) is of type OctetString. If transmitted on the Zh interface it contains 
GBA user security settings (GUSS). If transmitted on the the Zh interface it contains the relevant USSs only. The 
content of GB A-UserSecSettings AVP is a XML document which is defined in annex A. 



6.3.1.2 



Transaction-Identifier AVP 



The Transaction-Identifier AVP (AVP code 401) is of type OctetString. This AVP contains the Bootstrapping 
Transcation Identifier (B-TID). 



6.3.1.3 



NAF-Hostname 



The NAF-Hostname AVP (AVP code 402) is of type OctetString. This AVP contains the full qualified domain name 
(FQDN) of the NAP that the UE uses. This may be a different domain name that with which the BSE knows the NAF. 



6.3.1.4 



GAA-Service-ldentifier AVP 



The GAA-Service-identifier AVP (AVP code 403) is of type OctedString. This AVP informs a BSE about the support 
of a GAA-service by the NAF. According this AVP the BSE can select the right service"s user security settings. 

For 3GPP standardized services (e.g., PKI portal), the GAA-Service-Identifier (GSID) shall be in the range to 999999, 
and the currently standardized values for GSID shall be the GAA- Application-Type-Code of the particular service. The 
GAA Service Type Codes for 3GPP standardized services are defined in Annex B. 

NOTE: In the future, standardized GSID values that are different than the GAA Service Type Code may be 
standardised (e.g. to differentiate between the services "MBMS streaming" and "MBMS download"). 



Examples: 



The GSID is "1" for all PKI-portals, and "4" for all MBMS services. 



6.3.1.5 



Key-ExpiryTime AVP 



The Key-ExpiryTime AVP (AVP code 404) is of type Time. This AVP informs the NAF about the expiry time of the 
key. 



6.3.1.6 



ME-Key-Material AVP 



The required ME-Key-Material AVP (AVP code 405) is of type OctetString. The NAF is sharing this key material 
(Ks_NAF in the case of GBA_ME or Ks_ext_NAF in the case of GBA_U) with the Mobile Equipment (ME). 



6.3.1.7 



UlCC-Key-Material AVP 



The condition UICC-Key-Material AVP (AVP code 406) is of type OctetString. The NAF may share this key material 
(Ks_int_NAF in the case of GBA_U) with a security element (e.g. USIM, ISIM, etc..) in the UICC. Only some GAA 
applications use this conditional AVP. 



6.3.1.8 



GBA U-Awareness-lndicator 



The conditional GB A_U-Awareness-Indicator AVP (AVP code 407) is of type Enumerated. The following values are 
defined. 
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NO (0) The sending node is not GBA_U aware 

YES(l) The sending node is GBA_U aware 

The default value is i.e. absence of this AVP indicates that the sending node is not GB A_U aware. 

6.3.1 .9 BootstraplnfoCreationTime AVP 

The BootstraplnfoCreationTime AVP (AVP code 408) is of type Time. This AVP informs the NAF about the 
bootstrapinfo cration time of the key. 

6.4 User identity to HSS resolution 

The User identity to HSS resolution mechanism enables the BSF to find the address of the HSS that holds the subscriber 
data for a given subscriber when multiple and separately addressable HSSs have been deployed by the network 
operator. The resolution mechanism is not required in networks that utilise a single HSS or when an BSF is configured 
to use pre-defined HSS. 

The resolution mechanism is based on the Subscription Locator Function (SLF) and is equivalent to that described for 
the Cx/Dx interface described in 3GPP TS 23.228 [12]. The BSF accesses the subscription locator via the Dz interface. 
The Dz interface is always used in conjunction with the Zh interface. The Dz interface is based on Diameter. Its 
functionality is implemented by means of the routing mechanism provided by an enhanced Diameter redirect agent, 
which is able to extract the Subscriber identity from the received requests. 

To get the HSS address the BSF sends to the SLF the Zh requests aimed for the HSS. On receipt of the HSS address 
from the SLF, the BSF shall send the Zh requests to the HSS. The BSF may store the HSS address and use it in further 
requests associated to the same Subscriber. 

In networks where the use of the user identity to HSS resolution mechanism is required and the BSF is not configured to 
use predefined HSS, each BSF shall be configured with the address/name of the SLF implementing this resolution 
mechanism. 
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7 Use of namespaces 



This clause contains the namespaces that have either been created in this 3GPP specification, or in 3GPP specification 
3GPP TS 29.229 [3] or the values assigned to existing namespaces managed by lANA. 

7.1 AVP codes 

This specification reserves the 3GPP vendor specific values 10415:400-499 and actually assign values 10415:400-408 
for the GAA from the 3GPP AVP Code namespace for 3GPP Diameter applications ([8]). The 3GPP vendor specific 
AVP code space is managed by 3GPP CN4. See section 6 for the assignment of the namespace in this specification. 

Besides the Diameter Base Protocol AVPs [1] this specification reuses the following AVPs from 3GPP TS 29.229 [3]: 

Authentication-Session-State, User-Name, SIP-Auth-Data-Item and SIP-Number-Auth- 
Items. 

7.2 Experimental-Result-Code AVP values 

This specification reserves Experimental-Resuh-Code AVP values 10415:2401-2409 and 10415:5401-5409. See section 
6.2. 

7.3 Command Code values 

Only Command-Codes 310 and 303 from 3GPP TS 29.229 [3] is used in this specification. 

This specification reuses only the Command-Code value, not the content of the original specification. The AVPs, that are 
defined required in TS 29.229 [3], but are not needed in Zh or Zn interfaces, are removed and are therefore not required in 
Zh or Zn interface messages. All new AVPs for GAA are defined optional although they may be mandatory in GAA 
viewpoint. 

This specification does not assign new command codes to the 3GPP TS 29.229 [3]. 
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Annex A (normative): 
GBA-UserSecSettings XML definition 

This annex contains the XML schema definition for an XML document carrying the GBA User Security Settings inside 
GBA-UserSecSettings AVP in Zh and Zn interface. 

<?xml version="l . 0" encoding="UTF-8 " ?> 

<xs : schema targetNamespace=" guss-schema-of-3gpp-gaa" 

xmlns : tns=" guss-schema-of-3gpp-gaa" 

xmlns :xs="http: //www.w3 . org/200 l/XMLSchema" 

elementFormDefault=" qualified" 

at t r ibut eFormDefault= "ungual if ied"> 

<! — This import brings in the XML language attribute xml:lang — > 
<xs : import namespace="http : //www . w3 . org/XML/ 19 98 /namespace" 
schemaLocation="http : //www . w3 . org/200 1/xml . xsd"/> 

<! — The whole user"s GBA specific data set — > 
<xs : complexType name="guss"> 
<xs : sequence> 

<xs:element ref ="bsf Inf o" minOccurs=" " /> 
<xs:element ref ="ussList " /> 

<xs:any processContents=" lax" minOccurs=" " maxOccurs="unbounded" /> 
</xs : sequence> 

<xs : attribute name="id" type="xs : string" /> 
</xs : complexType> 

<! — BSF specific information element — > 
<xs : complexType name="bsf Inf o"> 
<xs : sequence> 

<xs:element name="uiccType" type="xs : string" minOccurs=" " /> 
<xs:element name="lif eTime" type="xs : integer " minOccurs="0 " /> 
<xs : any processContents="lax" minOccurs="0 " maxOccurs="unbounded" /> 
</xs : sequence> 
</xs : complexType> 

<! — List of all users individual User Security Settings — > 
<xs : complexType name="ussList "> 

<xs : sequence minOccurs="0 " maxOccurs="unbounded"> 
<xs:element ref="uss"/> 

<xs:any processContents=" lax" minOccurs=" " maxOccurs="unbounded" /> 
</xs : sequence> 
</xs : complexType> 

<! — User Security Setting data — > 
<xs : complexType name="uss"> 
<xs : sequence> 

<xs:element ref="uids"/> 
<xs:element name="f lags "/> 

<xs:any processContents="lax" minOccurs="0 " maxOccurs="unbounded"/> 
</xs : sequence> 

<xs : attribute name="id" use="required" type="xs : string" /> 
<xs : attribute name="type" use="required" type="xs : int "/> 
<xs : attribute name="naf Group" use="optional" type="xs : string" /> 
</xs : complexType> 

<! — User Public Identities for authentication — > 
<xs : complexType name="uids"> 

<xs : sequence minOccurs=" 1 " maxOccurs="unbounded"> 
<xs: element name="uid" type="xs : string" /> 
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<xs:any processContents="lax" minOccurs="0 " maxOccurs="unbounded" /> 
</xs : sequence> 
</xs : complexType> 

<! — GAA Application type specific Authorization flag codes — > 
<xs : complexType name="f lags "> 

<xs : sequence minOccurs=" " maxOccurs="unbounded"> 
<xs:element name="flag" type="xs : int "/> 

<xs:any processContents="lax" minOccurs="0 " maxOccurs="unbounded"/> 
</xs : sequence> 
</xs : complexType> 

</xs : schema> 



Note: The <xs:any> elements within the complex types allow for compatible extensions in future releases. 
The values are: 

• The value of the attribute 'id' in the element 'guss' is the the same as user"s IM Private Identity (IMPI) used 
in User-Name AVP. 

• The value of the attribute 'id' in the element 'uss' is the same as service identifier (GSID) used in GAA- 
Service-Identifier AVP. 

• The value of the element "uiccType" in the element "bsflnfo" is: 
GBA to indicate the basic case, or 

GBA_U to indicate that generation of Ks_int_NAF is also required in the BSF. 
The default value is GBA. 

• The value of the element "lifeTime" in the element "bsflnfo" indicates a user specific key lifetime (duration 
in seconds). If the lifeTime element is missing the default value in the BSF is used. 

• The value of attribute "type" in the element "uss" is GAA service type code defined in annex B. 

• The value of attribute 'nafGroup' in the element 'uss' is an operator internal group designator for a NAF 
group the USS is valid for. If this attribute is missing then only the attribute 'id' is used for selection of this 
element. 

• Values of the element "uid" are user"s public authentication identities from the HSS. 

• Values of element 'flag' are user"s authorization flag codes from the HSS for GAA service type indicated in 
the type attribute in the parent uss element. If an authorization flag exist the NAF have permission to give 
the corresponding service, otherwise not 

In the following illustrative example the values are italised and underlined. The content of one User Security Setting 
tag is boxed. 

<guss id=" 35 8 500004 8 3 655 I@ims.mnc050.mcc35 8. 3Qppnetwork. org " > 
<bsf Info> 

<lifeTime>8 64 00</lifeTime> 
</bsf Info> 
<ussList> 



<uss 


id="l" type="l"> 

<uids> 

<uid>tel :358504836551</ui 
<ui d> J a uri . laitinenQnokia 

</uids> 
<flags> 

<flag>l</fJag> 


d> 

. co/n</ui 


d> 


</flags> 
</uss> 







</ussList> 
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</guss> 

The above GAA User Security Settings example for user '358500004836551 @ ims.mnc050.mcc358.3gppnetwork.org' 
defines that for PKI-Portal (GAA service type code is 1) services are allowed for user identities 'tel:35850483655r and 
'lauri.laitinen@nokia.com' and authentication is allowed (flag 1 exists) but non-repudiation is not allowed (flag 2 is 
missing) to NAFs that provide the GAA service identified by "1" GAA Service Identifier. The BSF shall not generate 
UICC-Ks, because uiccType is missing. A special key lifetime defines that athe duration after which the key expires is 
86400 seconds 
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Annex B (normative): GAA Service Type Codes 

The GAA Service Type Code values are used in GAA to indicate interpretation, coding and usage of GAA service type 
specific data. 

For examples each GAA service type may have their own set of authorization flags. Meaning and coding of these flags 
are defined in Annex C. There may also be proprietary GAA service types with their own definitions in the future. 

Code values - 999999 are reserved for standardized GAA service types. 

The following values are defined for standardized GAA service types with 3GPP specification: 

Unspecific service 

1 PKI-Portal 

2 Authentication Proxy 

3 Presence 

4 MBMS 

Default value is 0. An unspecific service may or may not have user security settings containing or not a list of public 
identities. An unspecific service cannot have specified authorization flags or other service type specific data. 
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Annex C (normative): GAA Authorization flag codes 

For GAA services which have a defined set of special authorization flag codes the following rule holds: The service 
specified by the GAA authorization flag codes is allowed for a user only if user"s user security setting contains that 
flag. 

The following standardised GAA service types that are listed in previous annex B have the following special 
authorization flag codes: 

PKI-Portal (1) 

1 Authentication allowed 

2 Non-repudiation allowed 
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Annex D (informative): 
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Date 
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003 


1 
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005 
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1 
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012 
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1 
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1 
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